The latest in a series of roundtable discussions on cybersecurity took a look at the business implications of security breaches, how preparation can be a good investment and the role of federal authorities in getting ahead of the bad guys.
It shed light on the shady business of extortion and information theft, which typically involves international players.
Cyber Trends 2023 is produced jointly by the Cyber Center of Excellence (CCOE) and the San Diego Business Journal. The May 4 event was the second quarterly discussion for 2023, and it is available for viewing on the San Diego Business Journal website.
As usual, it was moderated by Lisa Easterly, president and CEO of CCOE, a San Diego-based nonprofit that mobilizes businesses, academia and government to grow the regional cyber economy and create a more secure digital community for all.
“Cybersecurity is now everyone’s business!” Easterly said in kicking off the discussion. “The FBI reports a 300% increase in cybercrime across all industries since the pandemic began with the global cost of a data breach climbing over $4 million. More than half of these costly attacks are aimed at small and medium-sized businesses – our region’s economic engine.
“Now, pair that with the global shortage of cyber professionals to thwart these attacks — to the tune of about 755,000 openings in the U.S. and 10,000 here in San Diego — and it becomes mission critical to address this workforce gap.
“The good news is San Diego is leading the charge with more than 870 cyber firms and the U.S. Navy’s Naval Information Warfare Systems Command. This cluster accounts for more than 24,000 jobs and has a total economic impact of $3.5 billion annually, which is equal to hosting nine Super Bowls! This collaborative ecosystem is developing new technology, defenses and cyber warriors to combat the ever-evolving threat landscape.”
Easterly then introduced the panelists to discuss the evolving cyber risk, insurance and communications landscape.
First to be introduced was Ethan Cramer, supervisory special agent with Homeland Security Investigations (HSI) in San Diego.
“We are the investigative branch for the Department of Homeland Security. I’ve been with the agency since 2010. I have greatly enjoyed my career here,” Cramer said. “We are the oldest federal law enforcement agency in the country. We were born out of the United States Customs Service, and therefore we cover a large investigative portfolio. We cover narcotics, contraband smuggling, financial crimes, human trafficking, global trade and what we’re here to talk about today, which is cybercrime. We have approximately 400 agents serving from Oceanside all the way down to the United States-Mexico border, and from the California coast to the California-Arizona state line.
“The cyber intrusion group here in San Diego consists of 16 individuals, including myself. That is nine special agents and then six cyber analytical support [specialists]. We cover cryptocurrency, dark net and cyber intrusion investigations. And what I’m most proud about, we have a section that does threat hunting and incident response for local and national organizations.
“Just a little bit about myself: I’ve spent the last 13 years in narcotics and financial investigations, and then was lucky enough to be invited over to cyber a couple years ago. And as many people know, it’s a steep learning curve, but I haven’t looked back. I think it’s an exciting field to be in. I think it’s the future and I think we need to have more people in it.”
“We’re glad to have you as one of our Caped Crusaders,” Easterly said with a grin. She then introduced Kevin Dinino, president of KCD PR.
“We are a full-service marketing and communications agency,” Dinino said. “I’m based here in San Diego. We have team members all across the country. We work with a wide variety of clients ranging from cybersecurity companies to clients in the financial technology, high technology and financial services space. So the topic of cybersecurity is definitely one that’s near and dear not only to our agency, but something that pops up on a daily basis with a lot of our clients. And so in many cases, that could mean communications incident response, which I know we’re going to chat a little bit about later today, down to the planning involved for what to do when there are situations involving cybersecurity as well.
“So a little bit about my background: I have about 20 years of experience in corporate communications as a whole, ranging from financial services on the client side to working on the agency side as well. Our team is about a dozen spread across the country, with clients ranging from startups to multibillion-dollar market cap publicly traded companies. So I’m excited to open up a good conversation here, really about not only cybersecurity, but the business side in terms of what goes on in many cases behind the scenes, which is just as important as well.”
With that, Easterly turned to the final panelist, Jim Skeen Jr.
“I’m the founder of the Lockton office here in San Diego,” Skeen said. “We’re one of the largest insurance brokerage companies in the world. I serve on the boards of the Cyber Center of Excellence; Haiku, which is a very exciting cybersecurity training company; as well as the new Navy SEAL museum board. We’re going to build a very exciting museum here in San Diego. More to follow on that.”
A Very Big Business
At that point, Easterly observed that participants in the Cyber Trends series have spoken a lot about cybersecurity from the technical and workforce perspectives. Cybercrime, she observed, is big business, going on to say that the FBI reports more than $27 billion in cybercrime losses across all industries in the past five years.
She then turned to Ethan Cramer, asking him to describe the systemic risks he has discovered as lead for Operation Cyber Centurion, an initiative focused on proactively detecting vulnerabilities in critical infrastructure and preventing cyberattacks.
Cramer started off by referencing an article called “The Web of Profit” by university lecturer Mike McGuire, published by Venture Beat. It estimates the revenue from cybercrime is around $1.5 trillion worldwide.
That is “a hard number to wrap your head around,” Cramer said. “To help you, it’s equal to the GDP of Russia. So we’re talking like the 11th largest economy in the world that is cybercrime, and that encompasses illegal marketplaces of trade secrets, data trading, ransomware and so forth. And so I think cybercrime, when we look at it, it’s a massive canvas for any law enforcement agency and we really need to tackle it with a collaborative effort.
“So a couple years ago, just before the pandemic hit, we at HSI here in San Diego asked the question: what can we do with our cyber intrusion group to have the greatest impact on our community? And what we came up with was Operation Cyber Centurion, a threat hunting initiative where we proactively learn the tactics and procedures of cyber criminals. With that information we look at how they are deploying malware, ransomware, data exploitation from networks, through open source intelligence, as well as incident response. We also monitor a variety of cyber threat intelligence feeds to look for critical infrastructure that’s being attacked or will be attacked in the near future.
“With that information, you’re probably asking, what do we do with it? So what we have found to be the most successful is we will create a packet with everything that we have collected, and then instead of emailing it — because we don’t know if their email is compromised — we will send an agent to the physical location to provide them with that packet.
“What that packet has is the tactics that we have known those threat actors to use, the back doors that they’ve used, what to look for, what IP addresses, internal, external, that we have been able to find, so that their SOC [security operations center] and their IT staff is able to take a jumpstart on their response to the incident. I can say that every single entity we’ve gone to has been extremely grateful. It’s a very rewarding experience and we’re happy to grow it and learn from our experiences and move forward.
“We use the cyber kill chain, which many people would identify to be like the Lockheed Martin kill chain. So our goal is there are seven steps to a cyberattack. We just need to cut the chain in one place to completely block it.
“So we do that by looking for vulnerabilities on networks of critical infrastructure as well as active attacks. And so that is our two-pronged approach to the operation. We have conducted north of 350 responses in the last two years to entities that are underneath CISA’s 16 pillars of critical infrastructure, like the hospitals, cities, police stations — things that we use on a day-to-day [basis] that our lives revolve around are what we’re looking to protect. [CISA stands for the U.S. Cybersecurity and Infrastructure Security Agency, another part of the Department of Homeland Security.]
Not ‘If,’ But ‘When’
“We’ve learned that once the dust settles from that, we find that most SOC [security operation center] or IT departments are sometimes just one- or two-man shops, and they’re expected to wear every single possible hat that is associated to technology in their organization. And that is just a massive mountain to climb for them, and to maintain,” Cramer said.
“And so what we continually stress is that there needs to be an open conversation between management and their IT [departments, covering subjects such as] what risks are acceptable and what risks aren’t? They need to practice what will they do during a cyber incident, and do it frequently. Because it’s not an ‘if’ but it’s a ‘when’ situation and we want them prepared for when it does happen.
“So just to close out the question, CrowdStrike published a bit ago that exploitations take between one and 10 hours to occur right in your network. And so time is never going to be on our side. So I think it’s imperative that from a defense perspective, we look at what we can do before it actually occurs and we’re prepared for when it does.”
“Yes,” Lisa Easterly said, “an ounce of prevention goes a very long way on the unfortunate other side of the incident.”
The Changing Insurance Landscape
“It seems that a lot of businesses think of insurance as a first line of defense,” Easterly said, turning to Jim Skeen. “Jim, as a 40-year veteran in this industry, which has now become the sexy topic du jour, is this the right way to approach cyber insurance? Can you explain how insurance companies underwrite cyber risk and how that differs from other business coverages?”
“Sure. So, respectfully, it’s not the right approach,” Skeen said.
“There’s an old saying, we reap what we sow,” he continued. “There are no shortcuts. And that’s really how you want to approach this. You really don’t want to be trying to trade dollars with insurance companies. What you want to do is invest in your business and your people. And the more you do so, you’ll make yourself more insurable for less in premium. So really start there first.
“I get asked all the time, why do insurance companies struggle so much underwriting cyber insurance? And it’s really pretty basic. What is an insurance company? It’s a very large, often publicly traded business, highly regulated, slow moving. They issue a contract, we call it a policy. It consists of terms, conditions, exclusions and different types of pricing mechanisms depending on the line of coverage. But the fundamentals below that is actuarial science applied to decades and decades and decades of settled case law, and then the aggregate across the industry, all different types of insurance, literally tens of millions of settled claims.
“So they start to apply their actuarial science to numbers and case law. They get further into it by getting geographic specific and then vertical specific, after which they drop in the specifications that represent your business’ risk profile, from which emerge as a quote to transfer that risk.
“So the underwriting is interesting because in cyber we don’t have some of those variables. We don’t have decades and decades of settled case law, nor do we have all those paid claims against which they can really start the process. Now they’re getting smarter, but that’s the fundamental difference between property insurance or auto insurance or some other type of insurance that comes to mind. It’s easy to spot a building on fire or a physical injury and that sort of thing, but how does one spot when your business is in the state of post-infection/pre-detection. There’s a lot going on that you don’t know about that you can’t even put on an application or attest to.
“So that’s part of the challenge,” Skeen said.
“Then you get to big issues that the insurance companies are focused on, really big issues: systemic risk, like the grid, or this highly charged, politically charged regulatory and privacy environment. So those become additional factors that are more so present in cyber than in other lines, but definitely influence how they’re trying to underwrite their products.
“Then let’s talk about the war exclusion. War exclusions have been around for centuries. It’s pretty easy to spot the tanks coming over the hill, the planes in the air and the boats shooting at us and that sort of thing, but cyber is completely different. And so how does an insurance company deny a claim based on a war exclusion? Well, last fall, Lloyd’s of London, which is 76 syndicates in London, started to take a harder stance on this, started to say, ‘You know what? We’re going to try to start to find a way to enforce the war exclusion.’
“Just recently, in fact, the Wall Street Journal reported that Merck prevailed on the East Coast. Merck’s insurers were trying to deny coverage for a cyber-related incident based on the war exclusion. But the court found, ‘No, we’re not going to let you do that because no “military” was engaged.’ OK, that stood yesterday. But you can bet the insurance companies are going to be very busy trying to think about how they can reword their policies to shield themselves from things that they consider [risky], where they can’t underwrite it. And that is the configuration of nation states, cartels, call centers in India. I mean, all this back and forth. How in the world do you underwrite that when insurance companies don’t have access to networks and the systems Ethan and his team do? So it’s a complex environment.”
Confidence Resting on Bedrock
“Absolutely,” Lisa Easterly said. “Ethan alluded to this: according to IBM, for 83% of companies, it’s not if a data breach will happen, but when. And, unfortunately here in the United States, we hold the title for the highest average cost of a data breach at $9.4 million. What this number does not include is the potential damage to your brand as well as customer, supply chain, employee and investor confidences. Kevin, how can internal and external communications strategies play a role in cyber incident response planning?”
“I would just say cyber as a whole, Lisa, is something that continues to be a huge blind spot for organizations, really across the spectrum,” said Kevin Dinino. “I know a lot of the stats that we’ve talked about here, there’s a massive dollar figure equal to the 11th largest economy. But more importantly, there is a huge amount of brand reputation at risk too, here. And so, when you think about cybersecurity as a whole, really having an action plan that encompasses communications is going to be huge. And in many cases, what that does is it ensures to really align the communications team with the security team with leadership, whether that’s a small group or whether we’re talking about a multinational organization, it can be a larger group. But first and foremost, even having a cyber incident response plan is going to be number one priority.
“From a communication standpoint, again, it’s not going to be ‘if this happens,’ it’s more than likely going to be ‘when this happens, what do we do as an organization?’ So thinking about how do we communicate to our customers, to our employees, to vendors involved? In many cases, if we’re publicly traded, there’s a huge investor and shareholder component as well. Because how you communicate based on an incident can play a huge role in the valuation of the company, in customer and employee trust going forward as well. And so there’s a multitude of factors, but first and foremost, just sitting down with your team and building out an incident response plan in terms of, ‘OK, what do we do as a company here to communicate value to all of these audiences? Who’s in charge of each of these verticals?’
“And ensuring that communications along with a CISO [chief information security officer] or security has a seat at the table with the C-suite as well, because in many instances, what ends up happening is your comms team finds out after the fact. And much like I’m sure a CISO would say, when you’re playing cleanup after the fact, there’s a litany of issues that you can’t correct or be on top of. And so very much like the true cybersecurity planning, when it comes to comms, being ready ahead of time is going to be in many cases the difference between market share decreasing or increasing.
“A couple good examples of that would be if we think back to the Target and Home Depot breaches that have occurred, how the CEOs of those respective companies actually attacked the problem, and really from a comms standpoint accepted some of the – in many cases, the blame – but then were part of that action team in communicating to shareholders, to employees that this is what we’re going to do going forward, really conveying the message of ‘this is under control.’ We know what we’re doing next, here’s what’s happened, et cetera. That message and the importance of the CEO in many cases, leading that narrative is going to be huge.”
“There are so many lessons to be learned from all of these different business units,” said Lisa Easterly. “Ethan, what lessons have you learned from conducting complex cyber investigations in partnership with the U.S. Attorney’s office that all businesses should consider when prioritizing their cybersecurity strategies? And, how can local businesses tap into the resources of HSI’s Cyber Intrusion Group?”
“First, I just want to say that we have a couple of very talented assistant United States attorneys here in the Southern District of California,” said Ethan Cramer. “I’m a huge advocate for them, and they’re an advocate for HSI and especially our Cyber Intrusion Group. So it has been a great relationship to have with them. And as you know, having an expert in this field on your team is invaluable. And I can wholeheartedly say we have that with the Department of Justice here in our district. So that is exciting.
“Second, I think it’s important to bring up what [Deputy Attorney General] Lisa Monaco shared at [the] RSA [cybersecurity conference] a few weeks ago: a shift in how DOJ looks at prioritizing disruptions in cybercrime. So just to quote her, she said that we needed to change our orientation, we needed to pivot to disruption prevention, and make that our focus. And then additionally, she goes on to say that the direction we have given our prosecutors and investigators is you’ve got to have a bias for action and disrupt and prevent [incidents].
“And I think that’s what we’ve done at HSI with Operation Cyber Centurion is, sometimes we can’t actually collect every single log and go through it and present it to a prosecutor for prosecution here in our district. And a disruption is OK, and is actually a massive success in our book. So, I’m excited to say that that is being put out there by DOJ. And I’m excited to say that HSI is wholeheartedly in support of that. So as a member of law enforcement, I think we also need to ask the questions like, how do we get all the information that we have and give it to the victim or the organization so that they have something to work off of and fight another day?
“I think if you look back at history, law enforcement tends to hold things close to their chest. And there’s a lot of really good reasons for that in investigations, not to share information until you get to the end of the case. But when it comes to cyber, I think that is imperative that we share as much as we can, because we all are invested in our communities, not only professionally, but also at home with our own families. And I think we need to get that information out there.
“So to push that just a little bit further, even an organization has a capability to block an attack if they provide the information to HSI. That could be the seed that we can then pivot off of and also assist other victim organizations.
“And so that’s kind of what we’re looking for here at HSI in San Diego: it is to partner with other businesses, take that information that they’re actually able to work off of and block, and then use that to help other people in our community.
“Mature organizations can stop an adversary at the firewall. They can blacklist an IP address and move on about their day. But what about everybody else? We should be able to take that information, pivot and share it so we can leverage our authorities to sinkhole an IP address or a domain so that the entire community can benefit from that.
“And then just to close this out, I think that law enforcement and incident response during an incident have the same goals. We want to find digital artifacts, we want to interpret them and maximize information for defense on a network. And if we can arrest the responsible party, fantastic. I’m pumped about it, I’m excited about it. But if all we can do is disrupt, and also identify other victims and we can make additional disruptions, that is also a massive success in my eyes. So we’re excited to be here and be a member of the community and a resource.”
“We have a board member who always says, ‘never let a good crisis go to waste,’” Lisa Easterly said. “And so making sure that we learn and not just learn as one institution or one company or organization, but proliferating that information out to the rest of our business community is really critical. And I think it’s one of the things that San Diego really does well.”
Olympic Rings and Red Wine
Easterly then turned her attention to Jim Skeen Jr. “The evolving cyber insurance market is making headlines with nation-state attack exclusions, inside out underwriting and detailed control requirements,” she said. “Jim, can you provide an update on the current market and suggestions for our audience to better prepare for their cyber insurance applications and renewals?”
“Twenty years ago, when I first got exposed to cyber insurance, it was really about publicly traded retailers, hospitals and utilities,” Skeen said. “They were the ones primarily looking at this initial product. Five years ago, it was as easy as buying toothpaste. Fast forward, everything has changed. Starting with mandatory controls. You and your business have got to demonstrate in a test tube 10 or more mandatory controls just to qualify for a quote, let alone a favorable one. So that’s step number one.
“The 2023 market has changed and it’s moved favorably. So by that I mean there is more capacity in the market. The underwriters are getting smarter about what they’re doing. There are new entrants, new players bringing new fresh capital. That’s all positive. The rate of premium increases that we’ve seen over the last few years has flattened or moderated. It’s client by client. But that is definitely a positive trend.
“Again, the mandatory controls and the insurers have done a good job, in their view anyway, of shedding clients who just don’t get the message and remain riskier than they care to underwrite. So there’s a lot of culling of the herd, if you will, going on. They’re imposing supplements and coinsurance clauses on businesses that they consider riskier than others. So they’re being more defined there, and they’re being very industry selective. So the ones that stand out that still are more troublesome than others include healthcare, technology and public entities.
“So I want to give you a couple of word pictures to think about as far as preparing. So think about the Olympic logo — five interconnected rings — and pretend that logo is stenciled on a white tablecloth in your dining room, and each of those rings represents a different function for your business. That could be finance, HR, IT, legal, operations. And so now you take a big pitcher of red wine and you spill that on that white tablecloth. That’s a breach, internal, external. But watch it spread and it’s impacting your business functions concurrently. So the question really becomes, does your business have a plan for each ring independently, and then interoperably with the other four? For most businesses, honestly, the answer is no. But you have to start someplace and you need to start moving in this direction.
“Another word picture I’ll give you is the city skyline. Pretend that’s a couple different things. That’s the different types of insurance you’re purchasing: property, liability, auto, medical, management liability for your directors and officers, crime insurance, E&O, all these sorts of things. You really need to do a gap analysis on those different policies to find out which is offering some level of coverage or not, and try to streamline it so you have no gaps and duplications.
“I was recently with an agent who gave me a great example that he uses, which is your family vehicle. Pretend your family vehicle is your networks at your business. And the most precious cargo you might have in your vehicle is an infant. So is your infant — that’s your IP from a business perspective — is that infant standing by the window waving at everybody with no seatbelt on, or is it protected properly? And that’s sort of the mindset that everybody needs to start to get into, which is think of your networks, your most precious IP, what exactly are you doing to protect that, and what can you afford to do or not do?
“The other aspect of that really has to do with your third party partners, the contractual analysis. So that city skyline, think about that: there are some [buildings] bigger and stronger than others. Those represent clients, vendors, suppliers, all the different parties with which you do business and there are probably contractual relationships between you. So look at the indemnification wording, see what risk they’re trying to transfer to you versus you to them, and effectively is this stuff being matched up and contemplated in your pricing? Then at the end of all that process, how does your insurance, how would your insurance respond to this landscape that you’ve presented?
“So really kind of complementing what Ethan and Kevin have been saying all along in my earlier comment, there is no shortcut here. It’s really about first investing in your enterprise and your people. The more so you do that, the better all parties will be.”
“I love the analogy of the Olympic rings,” said Lisa Easterly. “It’s always my favorite one where you actually watch everyone in the audience see the bleed and realize this is something that is not containable.”
Baking Cybersecurity Into the Narrative
“Cost is often cited as one of the biggest cybersecurity challenges for small to medium-sized businesses,” Easterly said, turning her attention to Kevin Dinino. “Kevin, you work with a lot of tech and financial startups to raise their profiles for funding and business development opportunities. How has baking cybersecurity into the narrative helped with their ROI?”
“I think founders really, when it comes to startups and even more established companies, need to prioritize cybersecurity from an investment standpoint, and truly view that as an investment in terms of an asset in many cases,” Dinino said.
“I know we talked about sort of funding issues or shareholder communications, et cetera. But there’s a huge sort of risk management component to this as well, simply from the standpoint of you can’t afford to have this go wrong. And so much like there’s a variety of cybersecurity solutions — I know Jim and Ethan talked through many of them — there’s a lot more nowadays that are very much cost effective. And so when applying crisis communications really to any scenario that involves cyber, a lot of it needs to be, in many cases, viewed as a risk management expense, as a whole.
“I should say investment, and not as an expense, just to be clear as well, because the reputational hit that can happen is just too big of a risk.
“And so when thinking about communications, as it pairs with cybersecurity, view it through the lens of crisis response and view it through the lens of an investment, and really an insurance policy. I know we’ve talked about the actual insurance side of it, but in many cases, the communications is that policy.”
“We’ve seen this work for a lot of companies in our region,” Lisa Easterly said, “Even prior to the FDA determining that cybersecurity needs to be part of their new applications for medical device companies, we have organizations in our region like MedCrypt that baked cybersecurity in from the get-go, and it’s been part of their marketing strategy that’s been incredibly successful for them. So I’m excited to continue to see how that develops as again, new markets and new legislation and the regulatory environment continues to evolve.”
Easterly then asked each panelist for a final thought.
“I just want to reiterate that HSI is here in San Diego to be a resource,” said Ethan Cramer of Homeland Security Investigations.
“We’re a large federal agency that wants to see how we can take information on the law enforcement side and use it on [the side of] the private sector to protect networks. If you see us knocking on your door, we’re probably going to be there just to help you, so please take what we have as that. If there’s anything you might need, please reach out and we’d be happy to [respond].
“So I think it is very important that it’s a ‘when,’ not an ‘if,’ and that practice, practice, practice for when that does happen.”
“Thank you and thanks to the San Diego Business Journal,” said Jim Skeen Jr. “You know, the CCOE created the executive briefing series about five or six years ago, and we’re proud of the fact that we do eight to 10 presentations a year. We put the federal law enforcement, FBI, Secret Service, HSI, now in front of, I think it’s 3,500 businesses in San Diego County. So we’re proud of that because we want to, on the private side, assist the agents to better protect us. Their time is precious, their resources are limited. The more we can reach out and partner with them, the better we’re all going to be. So it’s just a thank you for that. It’s a great collaboration and we enjoy working with each other.”
“Planning, planning, planning, right?” said Kevin Dinino. “In many cases, Ethan talked through the ‘when’ and ‘if’ conundrum. Everyone’s going to be breached at some point. So planning your communications response, knowing who’s saying what, knowing what audiences need to be communicated with are going to be huge. Don’t be caught as the company that ends up calling experts like us once the you-know-what has already hit the fan. In that case, it’s already too late. So again, all about the planning.”
“Many thanks Ethan, Kevin and Jim for the insightful discussion!” Lisa Easterly said. “We invite businesses and job seekers to visit CCOE’s website at sdccoe.org for more information and free resources, including links to Ethan’s website.”
With a final thank you to the audience, Easterly said CCOE is looking forward to the next San Diego Business Journal Cyber Trends panel discussion in the summer.